may be changing, according to Jeff Kosseff, an associate attorney with Covington & Burling, LLP. Kosseff specializes in data privacy law, and he spoke on that topic at the Big Data Tech Conference in Boston. We caught up with Kosseff ahead of the conference to ask him a few questions about big data, data privacy, and the law.

SearchSoftwareQuality.com (sSQ): What's the current state of data privacy law?

Jeff Kosseff: In the U.S., the data privacy issues with big data are covered by the same data privacy law as all data right now. It's just a bigger issue, with more visibility when we're talking about bigger sets of data. That means there's more liability under the same laws for big organizations.

The big concern is personally identifiable information. The definitions of personally identifiable information are a little technical and hazy at times, but the gist is that information that can identify individual users is personally identifiable.

The highest priority in personally identifiable data is called sensitive data. That includes information about health records, finances, social security numbers and other uniquely identifiable information like that. After that comes data like names, addresses and consumption habits. These things can also present liability issues to enterprises that store and transmit this data. Another step down from that is data that could be tied to a user in a round-about way. That's a big step down, though, compared to personally identifiable information.

sSQ: What are the things enterprise application developers should be watching out for today?

Kosseff: Companies can definitely face liability suits for data breaches within their applications. If, for example, Company ABC transmits data to Company XYZ and Company XYZ suffers a data breach, Company ABC may be liable. Data breaches are a huge legal problem for companies that fail to abide by the promises they make in their own privacy policies and live up to the legal requirements set out for them. It depends a lot on the contracts involved between the two companies. So it's really important to carefully review all those contracts and see who bears the risk in the event of a data breach.

Jeffrey Kosseff, Associate privacy lawyer, Covington & Burling LLP

Lawmakers are focusing more on data privacy in the past few months than I've ever seen before. There's a solid push to ensure that customer data is not getting compromised. Up until recently, these cases were handled on a case-by-case basis; but now there are companies whose data affects so many people that it's become a much more formal concern for regulators. There's no new data privacy law lined up yet, but any company that works with big data should be aware of the coming changes.

sSQ: What might those changes look like? What are the leading ideas on data privacy law?

Kosseff: The White House has recently reintroduced the Consumer Privacy Bill of Rights Act. This is a general bill covering consumers' rights when it comes to the information that businesses gather about them. It puts limits on the ways businesses can reuse data, encourages more transparency about how data is stored and shared, and gives individuals more access to their information. Many countries in the EU, for example, have similar data privacy laws already on the books. They're not about big data specifically, but big data is not excluded.

In the U.S., there is no blanket data privacy law that covers all data. Instead, data is covered by a patchwork of particular case laws. For example, there's a federal data privacy law that prohibits disclosing an individual's video purchase or rental history, and HIPAA covers how health information can be handled.

sSQ: What about a widget manufacturer and their customer records?

Kosseff: Right now, that would be regulated by the Federal Trade Commission. The Federal Trade Commission Act puts a blanket ban on unfair business practices. So the Commission can and does step in when businesses are abusing that data, but unfortunately there's not a lot of clarity in what constitutes unfair business practices. There's a large grey area where two reasonable observers could come to opposite conclusions. Even businesses that are making good faith efforts to protect data privacy might not be compliant.

Kosseff: I recommend what I call "privacy by design." It's about building privacy into every aspect of the development process -- starting from the initial brainstorming and keeping on all the way through deployment and maintenance. Introduce privacy requirements early and ensure that you document your privacy efforts so you can prove data privacy is a primary concern if you should ever be involved with a data breach.

Even if there is never a data breach -- and focusing on data privacy should increase the chances that there won't be -- taking a focus on privacy by design helps build reputation and create business opportunities. When partners and customers know that sensitive data is safe with your applications they'll naturally be more likely to do business with you. A lot of companies have really grown their Web presence by focusing on data privacy as a selling point.

2 comments

It's certainly great news that lawmakers are focusing more on data privacy these days, but mainly because it raises awareness about something that concerns everyone. I don't think you should leave it to the law to protect your privacy. You lock your house, why don't you do the same with your data? Encrypt it with software like PGP. Use Tor. Chat via Threema. Don't use dubious services. It's not rocket science!

I agree it’s not rocket science, but it is common sense, and you know the adage about that - it’s not so common. I’m still surprised at the number of people that blindly accept an application or site’s privacy policy or terms of use without even skimming them.